SSL VPN Not Working Post ATP200/800 Firmware Upgrade

2

All Replies

  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited August 2022
    Can we turn on some other logging? At the moment the system log shows nothing. It doesn't even indicate an attempted connection.

    In my mind at least, the issue is definitely caused by something in the firmware update. Under Firmware Management we have "V5.31(ABFW.0)ITS-22WK31-r104914" loaded in 1 (Running). The SSL VPN does not work. If we click on "V5.30(ABFW.0)" in 2 (Standby) and click Reboot. After the reboot, the SSL VPN "magically" works. No changes whatsoever. In that short time, the Public IP on the client side wouldn't have changed, which means the IP isn't being blocked.
  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited August 2022
    We've done some more testing and the SSL VPN is working for some users. Well, one user but they have tested it at multiple locations (all Comcast supplied). Waiting for a couple more users to get back to me. Anyway, those who are affected (ie. can't use the VPN) are using Verizon's services. That is what I have and I've tried both my home internet and cellular hotspot. Neither work. Is it possible that some of the SSL VPN changes you mentioned prior (specifically MTU) could be unsupported by Verizon?

    Another user got back to me. They are have Blue Ridge Communications as the ISP and it does not work for them. In case it matters, we as a company are US East Coast based and Comcast is the ISP at our three sites.
  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    So much for the Verizon theory, just had two more users confirm that they can't connect to the VPN. Both are using Comcast. One of them also confirmed that they can log into the login page, so they know their password and the SSL VPN connection info is good.

    User (MAC=-) from http/https has logged out Device
    User (MAC=-) from http/https has logged in Device
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hi @NEP

    After our discussion, currently, you decide to roll back to 5.30 firmware to keep the SSL VPN service stable. If you still need assistance in the future, please let us know. Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    That is correct, we rolled back to v5.30 because we have users that need to use the VPN. Please do not take our rolling back as a solution. It certainly is not, as it will most likely happen again with the next firmware that is released (barring any changes). Something is not correct with the newer firmware, however, at this time we can no longer help with finding out what that is.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    Following, I don't want to stumble upon this issue in future.
  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    Hello. Just installed v5.32 and we are still having the same issue. The SSL VPN won't connect. Same log errors as before. 5.30 works fine, 5.31 and 5.32 do not. I saw in the changelog that there was a MAC OS issue with SSL VPN and ports not being identical. Maybe we have something similar. In any case, I have left 5.32 running and will send @Zyxel_Jeff "limited_admin" credentials for our ATP. Hopefully this issue can be found and corrected. Thanks!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello @NEP

    We can access ATP800 remote Web-GUI now, could you add zyxel support user account to vpn_group user group for us? We would like to establish SSL VPN connection to the ATP800 for troubleshooting purposes. I already sent a private message to you. Thanks :) . 



    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Hi @NEP

    We noticed the that root cause might be the limited-admin account. Using the limited-admin account cannot establish SSL VPN but if using a normal user account then can establish SSL VPN to your ATP800, as below:




    We confirm it's our current design.
    So, please use a user privilege account to establish SSL VPN connection with your ATP800.

    Besides, sometimes customers would make the mistake to use add an extra https into the SSL VPN server URL by accident or the wrong port number. That would lead to SSL VPN connection cannot be established as well.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    Answer ✓
    Using a limited-admin user is definitely not the solution. If you look under User/Group you'll notice that we have two admins and the rest are simply users. The limited-admin was created special for you guys to access the portal. Also, we don't use the admin users to connect with the VPN. That was disabled when you guys rolled out v5.00 I believe.

    That said, based on your screenshot, I was able to get connected. The issue being that I was using 9999 instead of 9998. However, this is not a solution either because prior to the upgrade to v5.31 and v5.32, port 9999 connected as expected. Why is it now broken with these updates? Is it not standard practice to use the same port? This is how the outside networking firm originally hooked it up.

    Again, this would seem related to "[Bug Fix] eITS#220701020 - SSL VPN client for macOS is not connected if HTTPS port and SSL VPN server port are not identical."

Security Highlight